A funny thing can happen when you accept a friend request on Facebook. You can get back in touch with an old high school buddy. You can get a look at your sister's latest baby pictures. Or you could end up in jail.
That's exactly what happened to Rod Coronado earlier this summer, when he was sentenced to four months in prison after he did nothing more sinister than accepting one of those pesky friend pings on Facebook.
The details of the case offer a little insight and, hopefully, a glimmer of hope for you and me that we won't meet the same fate: Coronado, an environmental and animal rights activist, was already on probation for prior crimes, and the friend request he accepted was from Mike Roselle, a former Greenpeace director. Coronado's probation officer said that Coronado's virtual friendship with Roselle was the equivalent of consorting with known criminals, a definitive no-no in the probation world.
That, of course, is the catch: There's no evidence that Coronado ever met Roselle in person, or in fact ever knew him at all. Facebook makes such random connections simple, and in fact it actively encourages them. Take a look at your own friends list on Facebook and you'll probably find more than a few people there whom you've never met.
As well, you will probably find people whose names mean nothing to you at all. Perhaps someone you met at a party years ago and have long since forgotten. An old elementary school chum you can't remember at all, but who was friends with all the school buddies you do remember, so you felt guilty about not accepting his friend request. Or perhaps among your Facebook friends there really is a complete stranger who added you by mistake and you, thinking the name sounded familiar, accepted the request. Maybe you accidentally clicked accept instead of ignore. Maybe it's just a spam account. Who knows?
The point is that, try as we might to keep our online and social networking identities private and secure, they are increasingly meaningless and cluttered with junk. But as the case of Rod Coronado shows, that junk can have consequences.
Social networking without a safety net
Coronado certainly isn't alone in being negatively impacted by Facebook and other social network activity. It's now almost commonplace that students who post evidence of illegal activity (usually alcohol or drugs) on pages accessible to school administration face disciplinary action for their wrongdoing, based solely on the evidence that they themselves have provided. Employees are regularly terminated for updating their Facebook status ("Having a blast at the beach!") when they claim to be taking a sick day. Gang members have been linked to one another through the follow history of their Twitter accounts, a medium growing in popularity as a communication system for the criminal underground.
Now the question must be asked: What impact might otherwise innocent Facebook activity have on corporate endeavors, criminal or otherwise?
Consider a scenario where a manager at your company accepts a friend request from a competitor. All in the name of collegiality, of course. Perhaps the two met at a trade show or conference, or maybe they worked together at an old company. Now let's say there are allegations of price fixing in your industry, perhaps leveled primarily at other companies, including the competitor mentioned above. Could your company get wrapped up in such an investigation simply because of the possibility of impropriety, thanks to the link between the two managers in our little example? Absolutely.
But there are far more grounded, real-world reasons to be concerned about such connections. What about headhunters in the employ of your competition? A single friend request can open the door to your company, giving that headhunter a way to figure out who else might be worth approaching to poach, since it's common for co-workers to be friends on Facebook. Heck, Facebook even makes it easy by automatically lumping employees at the same company together into formal networks, which can be browsed as easily as a telephone directory.
What about the social engineering ramifications of Facebook accounts? Finding a birthday, hometown, and other personal information (even the inimitable mother's maiden name) is trivial with Facebook. Does your IT department use any of this information as part of a remote password reset program?
Think about how much an absolute stranger can find out about your staff through a simple friend request. The possibilities are limitless.
Dealing with such challenges is daunting, to say the least, but the good news is youre not alone. Every company has to grapple with social networks and the new risks they introduce.
Give good guidance
The first step is, as always, policy. Employees need to know what kind of behavior is and is not appropriate on Facebook and other social networks, and management needs to make clear that an employee's personal life may be fair game for sharing, but that business endeavors are certainly not. Clear rules about how these networks can be used need to be laid out and communicated to staff. Some companies may have to go further. Certain employees in sensitive areas of the company may be forbidden from setting up social networking accounts at all, or at least prohibited from making them publicly viewable.
If problems arise or seem remotely likely, the company may have to move on to more serious measures, such as blocking access to these sites from the office as a measure of protection. You may not be able to stop employees from accessing them, but at least you can prevent them from doing so while they're on the job.
Christopher Null writes about technology extensively for Wired, PC World, and Maximum PC. He was the founder and Editor-in-Chief of Mobile PC magazine and spent four years blogging about tech daily for Yahoo! You can find his running commentary at chrisnull.com.